Thoughts on business ethics, corporate governance, risk management and compliance

Tag Archives: Controls

Cohen and Felson’s Routine Activity Theory of Crime appeals to me at an intellectual level as a way to understand the increasing rate of crime in Indian society. However, it contradicts my personal philosophy about human beings. The theory presumes that every human being basically has a criminal tendency and is capable of crime. I believe that human beings are inherently good and each human being, irrespective of the crimes they have committed, is capable of good deeds. Hence, I will try to discuss the theory without bias and balance the two opposing views. If I sound partial towards my philosophy, then forgive me from the goodness of your heart.

1. Introduction

The theory was based on analysis of US crime data of 1947-1974. During this period the average income of families increased, number of people below poverty line decreased, education levels improved, and unemployment levels decreased. However, the rate of violent crime in urban areas increased – rape (174%), assault (164%), robbery (263%) and homicide (188%).

Indian urban society has shown similar trends since liberalization in the 1990s. While growth, income, economy, facilities, education etc. have significantly improved in urban areas, the rate of crime has increased exponentially. Before, in the 1960s and 1970s, others would ostracize a middle class person if he were publicly involved in criminal activity. Now, nearly every second person is involved in a corrupt and unethical activity openly. Though we blame it on deteriorating social values, this theory helps us understand why we compromise the values and participate in a crime.

2. Concept

The theory states that “structural changes in routine activity patterns can influence crime rates by affecting the convergence in space and time of three minimal elements of direct contact predatory violations: (1) motivated offenders, (2) suitable targets, and (3) the absence of capable guardians against a violation”. Lack of any one of these reduces crime. However, the level of control exercised by the guardians has a direct impact on crime. Even if motivated offenders and suitable targets remain the same, if control reduces, crime increases. The theory states that income of the offender does not have any impact on his desire to commit crime and contradicts the popular notion that people with less income have a higher propensity to commit crime.

Now this can be understood in Indian context. The number of people living away from their traditional homeland has increased as more people are living in nuclear families or as singles in different cities. The change in social behavior has changed the routine activity of people as social controls of family and community have decreased. These aspects reduce the worry of motivated offenders on how their community will judge them if they participate in unethical behavior. Secondly, the same aspect makes suitable targets more vulnerable to crime as protective layers have reduced. Hence, due to this changing social structure, motivated offenders and suitable targets have both increased. With it, the corruption in law enforcement agencies has reduced control. The sum total of it all has increased the crime rates in Indian urban areas.

3. Effect

Then the theory states that motivated offenders cooperate to strengthen their efficiency in criminal activities. On the other hand, the potential victims join hands to gain collective strength to protect themselves from the attack. The challenge becomes bigger for potential victims when high-net-worth individuals undertake criminal activities. The potential victims’ risk of victimization increases.

From the Indian context, the driver for change in social values has been the thirst for money and power. The higher level of ambition for being powerful and materialistically successful has motivated people to break the traditional social norms and move towards corruption and crime. Previously, the lack of a good criminal justice system was compensated by strict controls from family and community. Now all the three guardians have decreased control and the value of rewards gained from criminal activity is high. The other factor to consider is that voluntary help groups and social support groups are less in India; hence, the potential victims do not get the desired protection. As Cohen said – “it is ironic that the very factors which increase an opportunity to enjoy the benefits of life may also increase the opportunities for predatory violations”. Crime has become the by-product of freedom and prosperity as it has enmeshed itself in routine activities of daily life in Indian urban society.

Closing Thoughts

My personal belief is that for every action, especially criminal or unethical activity, a person needs to ask whether they need to involve themselves in it. When one accepts rewards for the wrong reasons, one cannot avoid punishment for the wrong reasons also. Hence, why go for the wrong rewards in the first place; and if one has received them, why not return them? When one is in a financially strong position and survival does not depend on income from criminal activity, why not refuse to undertake that activity. No one can involve another in a criminal activity if the participants do not wish for any monetary benefits. Hence, to enjoy the benefits of life, say no to crime and unethical activities.

Can something as simple as appreciation make business teams more willing to accept a risk manager’s viewpoint?


The Conflict

Proverbially, risk managers are locking horns with business managers. Of course business managers outnumber risk managers, hence more often than not risk managers are licking wounds and complaining that business managers don’t listen to them. Business managers claim that they are running the show, so an interfering risk manager who is perpetually criticizing their hard work should be shown the door.

Then risk managers lament that it is their job to highlight risks, which means negatives, so why go after them for being messengers of bad news. The conflict brews and sometimes reaches boiling point. No one wishes to see eye to eye because they wish to get an eye for an eye. End result, the business suffers in this battle.

What if risk managers change the approach? What if, along with the criticism, they give a lot of positive reinforcement? Will the behavior of business managers change?

Research on Role of Positivity in Performance

Marcial Losada and Emily Heaphy conducted research titled – “The Role of Positivity and Connectivity in the Performance of Business Teams – A Nonlinear Dynamics Model”. They studied the dynamics of team interaction in relation to approving and disapproving verbal feedback statements. Researchers coded the verbal communication among team members along three bipolar dimensions: positivity/negativity, inquiry/advocacy, and other/self. Sixty teams developing annual business strategy were analysed.

The results of the study have extremely important implications from business performance aspect and for risk managers. The table below defines the ratios of various dimensions.

The positivity/negativity ratios indicate that high performing teams give 5.6 positive comments to 1 negative comment. In contrast, the low performing teams give three negative comments to one positive comment. The medium performing teams give approximately two positive comments to one negative comment.

Similarly, under inquiry/advocacy ratios, the high performance teams are more balanced in their approach towards inquiry and advocacy. The team members question in an exploratory way. On the other hand, low performance teams are highly unbalanced and members advocate their own viewpoint. The medium performance teams are a little bit tilted in favor of advocacy.

Again, high performance teams maintained a balance in discussing internal and external aspects, whereas low performance teams focus on internal inquiry. The medium performance teams are slightly more focused on internal than external aspects.

Thus, the high performance teams have higher levels of connectivity, which results in better performance.

Overall, high performing teams show buoyancy throughout the meeting. They appreciate, compliment and encourage their team members. This expands the emotional space for the team to function. In contrast, in low performance teams sarcasm and cynicism rule, which restricts the emotional space. There is a lack of mutual support and enthusiasm, and a high degree of distrust. The medium performance teams don’t show distrust or cynicism, but neither are they openly supportive and enthusiastic about their team members.

Implications for Risk Managers

The results are very important from a risk manager’s perspective. As the author states – “to do powerful inquiry, we need to put ourselves sympathetically in the place of the person to whom we are asking the question. There has to be as much interest in the question we are asking as in the answer we are receiving. If not, inquiry can be motivated by a desire to show off or to embarrass the other person, in which case it will not create a nexus with that team member.”

Hence, from the time we approach the business team, we need to ensure that we are inquiring about the business. We should not be advocating any quick recommendations based on high-level interactions.

Another point to note is that the questions should cover both the internal and external environment of the business. This would motivate the business team into a more open discussion.

The most important point is about positive feedback. In our verbal communication and written reports we focus on highlighting the negatives.

The research showed that positive comments (that is a terrific idea) create emotional space within the listener, hence the listener is more willing to take the feedback. The emotional space created by positive comments in high performing teams is twice the size of medium performing teams and three times that of low performing teams.

Negative reporting restricts the emotional space of the business team. To build a positive environment for acceptance of our views, recommendations and report, we need to give 6 positive comments for each negative comment.

The researchers have given equations to assess the emotional space based on various dimensions. It might be a good idea to calculate the same before issuing a report.

Closing thoughts

One of the incorrect assumptions that risk managers make is that there is a linear relationship between the observations and recommendations in the report. However, the study showed the impact of non-linear relationships on functioning of teams. Hence, the fault may lie in the straightforward cause and effect attitude taken by risk managers to get buy-in from business managers.

We generally discuss that in reports we should highlight the positives first to balance out the negatives. This research clearly points out the importance of doing so and the reasons why we are failing. We have to change our approach to be effective. We need to be part of the business team and develop a positive feedback system before giving any negative observations.

In December, senior management focuses on formulating strategies. Department heads prepare business plans and budgets. Risk management departments define the next year’s agenda and plans. Everyone works hard at planning and preparing for the coming year. However, most of the efforts are in vain and result in failure. The problem is that generally people do these activities independently and make no attempt to align them. The ideal integrated sequence is below.

However, this does not happen. For instance, department heads do capital expenditures while ignoring the strategy. Business teams define performance indicators and risk managers establish risk indicators, without syncing the two indicators. Situations occur where desired performance is achieved at very high-risk levels. Business teams ignore the risk levels until disaster occurs. With the multitude of unsynchronized management information, boards make incorrect decisions with information overload. Hence, at the end of the year only a few organizations can claim that they achieved the strategy and targets.

The Chief Financial Officers (CFOs) can play a pivotal role in bringing the different facets together. CFOs sit on the board and participate in the strategy formation process. Department heads submit their plans and budgets to CFOs for review and consolidation. Generally, the Chief Audit Executive’s (CAE) administrative reporting is to the CFO. Quite frequently, CFOs act as de facto Chief Risk Officers (CRO). Hence, CFOs can put the jigsaw puzzle together. The key things they need to look into to revamp the process are as follows:

1. Strategy Formulation

The common misperception is that organizations have a proper strategy formation process. In reality, the ideas supported by the CEO and politically strong CXOs are adopted without much constructive discussion since no one wishes to rock the boat. Secondly, a formal strategy process is not in place in most organizations. Moreover, at the time of strategy formation upside and downside risks remain unidentified, as CXOs do not invite CRO to the discussion. The CFOs can influence the other CXOs to implement a formal strategy development process and conduct a strategic risk assessment in each phase of strategy formation.

2. Business Plans

While strategies are for a 3-5 year period, business plans are drawn annually. However, the changing business landscape makes business plans redundant on formation. The reason is that business plans are prepared on a set of assumptions on customer behavior engagement and market situation. Real interaction with customers and entry into the market prove most of the assumptions incorrect. Additionally, department heads make independent business plans to show one-upmanship. Hence, performance objectives are missed and risks remain unidentified. The need of the hour is for businesses to react fast and give cohesive messages in response to market changes. Therefore, CFOs must make the business planning process dynamic and integrated.

3. Budgets

More than 60% of the organizations are unsatisfied with their ability to link strategy to operating budgets. Additionally, organizations spend 4 to 6 months in preparing budgets with numerous iterations back and forth between departments. Meanwhile the business plans change due to the volatility in the market. Hence, organizations are feeling the need of speed in the budgeting and forecasting process. CFOs must adopt rolling forecasts rather than static budgets to improve planning and control. Rather than doing post facto variance analysis they can collaborate with business teams to give real-time analysis.

4. Performance Indicators

Performance indicators measure the reward side of the strategy. Without the risk indicators, they give an incomplete picture of business status. Another aspect is that performance indicators and risk indicators for the same strategy or plan are not aligned together and are reported at different periods. Organizations sometimes continue to measure redundant parts and do not update the indicators with change in strategy and objectives. A prime example is the financial crises. A few banks achieved performance targets without understanding the risk levels. Hence, CFOs must use technology to create relevant dashboards to monitor indicators to keep a firm grasp on the business.

5. Risk Indicators

Risk managers fail to address the twin shortcomings in process of identifying key risk indicators. Firstly, risk managers do not ascertain strategic risk indicators. Secondly, a lot of meaningless indicators are created which do not really find out the overall business risks. Hence, CXOs fail to separate the noise from the inflection points. Moreover, Nassim Taleb’s point of view that most significant risks are unpredictable needs to be thought over. There might be too much data available and organizations might look at risk indicators they are comfortable with, until the bubble bursts. CFOs can identify key risk indicators for strategy and business plans, and synchronize them to performance indicators. That will close the loop and move the business in the right direction.

Closing Thoughts

Synchronizing multiple factors between strategy and indicators influences a company’s capacity to achieve goals. With predictions of recession and volatile business environment, dropping the ball is highly probable. Understanding which economic predictions to rely on, which market trends will impact long-term and what are the strategic inflection points, spells the difference between success and failure. Hence, CFOs must play the vital role of coordinating and aligning various steps between strategy formation and identifying indicators.

The previous post raised more questions than gave answers. In light of the on-going investigation, it is difficult to predict results. However, I looked at the recently released FCPA Resource Guide to the U.S. Foreign Corrupt Practices Act by the Criminal Division of the U.S. Department of Justice and the Enforcement Division of the U.S. Securities and Exchange Commission. It sets some clear guidelines and mentions earlier cases with similar issues. It is a good read for Indian managers working in multinationals dealing with FCPA compliance requirements. I am sharing below some insights about the implications of the case.

1. Liability of Indian Employees

As per reports, the CFO and the legal team were suspended during the course of the investigation. If the US Department of Justice decides to pursue a criminal case, these employees can be prosecuted.

Interestingly enough, Indian managers consider their capability to bribe various government officials to get a job done as a strength. One often hears them saying – “Oh, I have a contact; s/he will do the job for X amount of money. Don’t worry about the legal provisions, they can be circumvented.” Since one rarely hears of any action being taken by regulators under the provisions of the Prevention of Corruption Act of India, hardly anyone hesitates to take or accept a bribe.

However, Indian employees working in multinationals have to think twice about paying a bribe to get a job done. The FCPA guidelines are strict. The guide states – “The FCPA’s anti-bribery provisions can apply to conduct both inside and outside the United States. Issuers and domestic concerns—as well as their officers, directors, employees, agents, or stockholders—may be prosecuted for using the U.S. mails or any means or instrumentality of interstate commerce in furtherance of a corrupt payment to a foreign official.” Hence, even sending mails to a US boss or colleague that involve a discussion of a bribe payment can make an Indian employee liable. Considering the provisions, the best policy for Indian employees is to keep their hands clean and follow the legal process diligently.

Another aspect to note is that a bribe does not need to be paid to hold an employee liable. The guidance note says – “Also, as long as the offer, promise, authorization, or payment is made corruptly, the actor need not know the identity of the recipient; the attempt is sufficient. Thus, an executive who authorizes others to pay “whoever you need to” in a foreign government to obtain a contract has violated the FCPA—even if no bribe is ultimately offered or paid.” Hence, Indian management and employees both can be prosecuted on this basis.

2. Challenges for Licenses

With the opening of the retail sector, multinationals need to obtain various licenses to operate in India. The challenge is getting the licenses according to their business strategy and plan.

For instance, IKEA recently obtained permission from the Foreign Investment Promotion Board (FIPB) to invest euros 1.5 billion to open 25 stores in India. However, IKEA was granted permission to open single brand stores for furniture only. It was denied permission to sell textiles, office supplies, food and drinks.

Now the question is, under these circumstances what options will the foreign investor consider? Will they agree to sell products according to permission? The permissions may be denied for the most profitable lines of products. It may not make sense to sell products with low margins. Hence, they will have the difficult choice of either not entering the Indian market or attempting to influence the government agencies to grant permissions for selling other products. If the second option is chosen, there is a high probability of bribes being paid. More so, since Indian government officials know what will hurt the business venture of the foreign company, they might use denial tactics to coerce the organization into paying bribes. Hence, it is a vicious circle.

A LinkedIn member gave a useful suggestion to curb bribes in the licensing process. Rangarajan Gopalan, Investigator US Department of Homeland Securities in New Delhi, suggested a single window concept for obtaining licenses in retail industry. If government implements the suggestion, the retail companies will not have to run around 32 different agencies to get licenses.

3. Partner Liabilities

In the event of the holding-subsidiary relationship or joint venture partnership, the Indian company can be charged jointly and/or separately.

The guidance note illustrated the implications with a previous case. For instance, “a four-company joint venture used two agents—a British lawyer and a Japanese trading company—to bribe Nigerian government officials in order to win a series of liquefied natural gas construction projects. Together, the four multi-national corporations and the Japanese trading company paid a combined $1.7 billion in civil and criminal sanctions for their decade-long bribery scheme. In addition, the subsidiary of one of the companies pleaded guilty and a number of individuals, including the British lawyer and the former CEO of one of the companies’ subsidiaries, received significant prison terms.”

Hence, if the US company is ignorant of the bribes being paid by Indian employees to conduct business, the Indian employees can face criminal charges and the Indian organization may have to pay hefty fines.

Closing Thoughts

The Indian organizations need to assess their FCPA compliance level and not take the issue lightly. The repercussions of ignoring the issue are huge. The legal and reputation risks can put the company to a great disadvantage. Moreover, the employees must follow the legal process rather than find ways to circumvent it.

PWC Internal Audit survey highlighted one critical shortcoming of Chief Audit Executives and Internal Audit Department. The risks that business teams consider critical are being ignored. I have been covering some of the risks on the blog, namely – people risks, competitive advantage, innovation and creativity, marketing, country risks, etc. According to the survey, more than 20% of the stakeholders reported that internal audit paid too little attention on these risks. Hence, the question is why are internal auditors and risk managers not looking at them. Take a look at this chart first.

PWC Internal Audit Survey 2012

From the survey results, two assumptions can be made. First, the internal audit function is still focused on auditing the processes that link to the financial numbers. Second, internal auditors do not understand the business aspects of the organization. As given below, three things need to be done.

1. Understand business requirements

The situation reminds me of an Archie-Veronica joke. Veronica is trying out a new pair of jeans in a store. She looks in the mirror and says – “The jeans are tight, I wonder what could be the problem.” Archie promptly replies – “You might have gained a few pounds”. Veronica gives one whack on Archie’s head and again makes the same statement. This time Archie replies – “The store may have marked a wrong size on the jeans”. If the internal audit reports were hard hitting, business teams may give the internal auditors a rosy picture. They may not be sharing the true concerns in respect to various business risks. Hence, internal auditors would focus their energies on some unsubstantial risks. Improve the communication with business teams to understand the risk environment. Create an environment where truthful interactions occur.

2. Add in next year business plan

Last quarter of the year has started today, and most of the organizations will prepare 2013 plans in this quarter. This is a good time to understand the business risks and prepare the 2013 annual audit plan and budgets accordingly. Coordinate with the business teams to understand their annual plans. Identify the risks relating to the plans. Discuss with the teams on how internal audit function can help them. Attempt using collective intelligence and crowd sourcing techniques to develop your plan. Where required, take a call to provide advisory services rather than assurance services. Business managers expect much more from the internal audit function. Hence, gear yourself to meet if not exceed those expectations.

3. Develop talent and skills

In the 20th century internal auditors audited the same financial numbers as external auditors. In the 21st century, the function requires revamping. In my previous article – “New Risks and Uncertainties in 21st Century” – I had conducted a poll. I had asked respondents whether they thought present day risk managers were equipped to deal with 21st century risks. Out of 17 total votes, 15 had responded that less than 50% of the risk managers can manage the new business risks. The verdict was by the risk managers about risk managers. Don’t be a dinosaur and learn new skills to survive in the market. In another 5 years when Gen Y become middle managers, Gen X may become redundant.

Closing Thoughts

With the turmoil in various economies, the 2013 risk landscape will be drastically different. Organizations that are well geared in risk management have a higher probability of sailing through. Internal auditors and risk managers need to incorporate the impact of globalization, technology and social media in their annual plans. There is no purpose in serving stale bread and expecting business teams to swallow it. Rejuvenate in the new business age.

Wishing all my readers a Happy Gandhi Jayanti. Let us pray that each person believes a little more in non-violence and works towards a peaceful world.

Currently, media is brimming with stories of corruption, greed and unethical behavior in the corporate world. Risk managers are targets of public ire. All are under fire – compliance officers, fraud investigators, auditors, etc. The stakeholders and public are rightly questioning their commitment and capability in discharging their duties. Under such circumstances, a few risk managers must be contemplating whether it is the right time to change and take up different corporate roles. Let us address the three main aspects of the decision.

1. Why am I in it?

Risk management roles have two sides. The positive aspect of the role is that it is intellectually stimulating as risk managers learn various facets of the organization. On the flip side, it is a thankless job as their advice and reports rattle most business executives. They never win a popularity contest, are not welcomed with garlands, and operation teams think of them as party poopers.

To function diligently, risk managers need high emotional intelligence, integrity, courage and an altruistic temperament. They have to stand up and give negative information to senior managers, even at the risk of being shot, for the betterment of their organization. With the same qualifications and experience, they can get a line job, most probably a better paying one. Hence, why should they continuously face flak, stress and heart-burn? The reason is passion. It goes back to why a person chooses a specific field. As Confucius said a long time back – “Choose a job you love, and you will never have to work a day in your life.”

2. Can I do other jobs?

Risk management is a specialized field. The knowledge level required is so high that a credit risk manager cannot do the job of an operational risk manager or vice versa. K. Anders Ericsson in his paper “Making of an Expert” analysed that it takes 10,000 hours of incremental learning to become an expert in a specific field. That is, it approximately takes 10 years to master an area. He categorically mentioned that there are no born geniuses, and there is no substitute for hard work.

Stories of the success of Bill Gates and Steve Jobs lead us to believe that college drop-outs made it big, so why can’t we? Gates and Jobs both started learning and continuously working in the computer field from the age of thirteen. By the time they dropped out of college, they had 8000-9000 hours of studies and work time in computers. Hence, it isn’t surprising that they could leverage their knowledge successfully.

Therefore, the choice is whether one wishes to be a generalist or a specialist. It again comes back to, whether a person wishes to work for money or fulfill their passion. Normally, if a person works in an area they are passionate about, they find their life more meaningful and rewarding. Their happiness and positive attitude translates into more successful careers. Hence, aim at being an expert in your area.

3. So many failures!

Should the risk management failures dishearten risk managers to the extent of changing careers? I think not. At this time, the world requires well-trained and dedicated risk managers. This is a century of chaos; organizations are in for a roller-coaster ride in this decade. Risk managers can steer them into safe harbors, facilitate them in leveraging upside risks and mitigating downside risks. When the times are tough, the tough get going. Now risk managers need the stamina and perseverance of sports people. Let us take a leaf out of Michael Jordan’s career –

“I’ve missed more than 9000 shots in my career. I’ve lost almost 300 games. 26 times, I’ve been trusted to take the game winning shot and missed. I’ve failed over and over and over again in my life. And that is why I succeed.”

Closing thoughts

Risk managers in this age of turbulence can play a pivotal role in shaping the future corporate world. To do so, they need passion and commitment. I am sharing with you Isabel Allende’s speech on tales of passion. Isabel is awesome – witty and inspiring at the same time. I hope you too become a dedicated risk management activist after hearing her. Just discover your passion.

The king of good times is facing hard times. Launched in 2006, with much fanfare by its Chairman, Mr. Vijay Mallya, Kingfisher Airlines (KFA) is presently in dire financial straits. After the euphoria abated, KFA’s strategy, performance and financial health has been questioned from mid-2008. Now the company is facing major financial and operational problems. The press statement from KFA, on 12 March 2012, highlights the challenges:

“The flight loads have reduced because of our limited distribution ability caused by IATA suspension. We are therefore combining some of our flights. Also, some of the flights are being cancelled as a result of employee agitation on account of delayed salaries. This situation has arisen as a consequence of our bank accounts having been frozen by the tax authorities. We are making all possible efforts to remedy this temporary situation.”

KFA is a good case to understand the impact of failure in risk management. The management ignored the warning signs of stormy weather and failed to navigate the company into safety. With hindsight, some of the important decisions made by the airline appear incorrect. Let us analyse the top 5 risks.

1. Strategic Risk – Market Analysis

KFA was launched as a premium business class airline. That was the first mistake: it showed a lack of understanding of customer requirements and rested on the assumption that luxury sells in airlines. Organizations focus on reducing costs and usually just CXOs are allowed business class travel. The rest of the staff mostly travels by economy class. Moreover, buying the most expensive business class tickets doesn’t go down well when seniors aim to project the image of walking the talk.

Even consultants, whose travel tickets are paid for by clients, hesitate to book KFA tickets. Doing so makes it appear that they are abusing privileges. Hence, the market size for business class tickets is small in India.

Secondly, internationally, the Southwest Airlines operating model has proven successful. It is a low-cost airline that provides minimum frills to customers at reasonable rates. Mr. Mallya, highly successful in the liquor business, didn’t comprehend the differences in customer preferences between the two industries. Customers may buy expensive alcohol, but not airline tickets, since the total cash outflow is higher. It is a price-sensitive market. Therefore, KFA adopted an incorrect strategy from the start as it failed to understand the market dynamics.

2. Strategic Risk – Merger with Air Deccan

KFA acquired Air Deccan, a low-cost airline, in 2007. Five years of operations is a key criterion for an airline to fly internationally. Hence, KFA acquired Air Deccan’s international flying rights and simultaneously entered the cheaper market segment. It made the following announcement in its September 2008 financial results commentary:

“The merger of the two operating airlines into one corporate entity has also enabled savings on operating costs such as Engineering and Ground Handling, Insurance and Catering. Employee costs have also been addressed through an integrated organization which enabled the Company to terminate the contracts of most expatriate staff and impose a hiring freeze on new appointments.”

After the merger, the first signs of trouble cropped up. As per a Business Today article, it became the largest Indian airline with 27.5% market share, and domestic travel increased by 30%; however, it didn’t make profits, despite the fact that its main rival – Jet Airways – continuously showed profitable quarters.

KFA showed growth in numbers while having lost the strategy. With the merger, it lost its brand image of a premium business class airline. It expanded with the speed of a jet without building a base and resolving the post merger challenges. This set the course for a bumpy ride.

3. Strategic Risk – Investment in Planes

“Aircraft Engine/Lease Rentals: Aircraft/engine lease rentals stood at Rs. 984 crore (USD 197 million) during the twelve month period from April 2010 to March 2011. Your Company operated 67 aircraft (scheduled and non scheduled) in the year under review, 13 of which are owned through finance leases and 54 are held under operating leases.”

The Business Today article mentions that presently the airline owns 63 planes and a few have been returned to the lessors. However, the plane financing problem isn’t new. In September 2008, after the merger with Air Deccan, KFA stated the following in its financial results commentary:

“Two aircraft have already been returned to Lessors with no additional cost, and the Company is in discussion for the return of a further eight aircraft. The impact of this capacity contraction will be visible during the second half of the Financial Year.”

After the merger, according to the Business Today article, the airline refused to take delivery of 5 Airbus A340-500. It had over 90 aircraft in Airbus books and no delivery was taken after 2008. This is a case of investment plans made under a cloud of unknowing.

4. Financial Risk – Excessive Debt

In the December 2011 quarter unaudited financial results, signed by the Chairman Mr. Mallya, the following note is given:

The Company has incurred substantial losses and its net worth has been eroded. However, having regard to capital raising plans, group support, the request made by the Company to its bankers for further credit facilities, planned reconfiguration of aircrafts and other factors, these interim financial statements have been prepared on the basis that the Company is a going concern and that no adjustments are required to the carrying value of assets and liabilities.

KFA posted a loss of Rs 1027.39 crore (USD 205.95 million) in December 2011 quarter. As of 31 March 2011, its net worth was negative at Rs 3633.08 crore (USD 728.29 million). It was last positive in March 2008, and now the picture is dismal. Presently, KFA has a total debt of Rs 7057.08 crore (USD 1414 million) and total accumulated losses of Rs 6000 crore (USD 1202 million). The banks refuse to extend further credit as the non-performing assets (NPA) will jeopardize the profitability and liquidity of the banks.

This is a clear case of excessive debt and poor cash flow management systems. The situation has gradually worsened since March 2008, and in three years the capital has been completely eroded. Better financial risk management might have helped mitigate the problem. It appears no one in the company was monitoring the risk dashboard. Maybe they were flying high on optimism.

5. Operational Risk – Fuel Costs

It’s a well-known fact in the aviation industry that most airlines nosedive due to high fuel costs. The rise in fuel costs is an uncontrollable risk, as the price of petrol is set internationally. Additionally, in India, states charge heavy sales tax on petrol. Hence, fuel costs are much higher in India. The KFA annual report of 31 March 2011 acknowledges this issue:

Aircraft fuel expenses: Expenditure on fuel stood at Rs. 2274 crore (USD 456 million) during the twelve month period from April 2010 to March 2011 accounting to 28% of the total costs. While the average fuel prices have come down from a high of Rs. 74 per litre in August 2008, prices have steadily risen through the year and ended 34% higher than prices at beginning of the year.

As the commentary on the results for the half-year ended 30th September 2008 shows, KFA was aware of the problem:

The Aviation Industry is going through a challenging phase globally, driven primarily by spiraling fuel costs, which hit an un-precedent USD 147 per barrel in July 2008. The Indian industry was hit more adversely due to the cumulative impact of Customs Duty and Sales Tax on account of this sharp increase in international fuel prices. The average price of ATF in the six month period from April to September 2008 increased by about 60%. The impact on Kingfisher Airlines alone was to the tune of Rs.640 Crores (USD 128 million).

To recover fuel costs, most airlines increase the number of seats in the aircraft by making better use of space. KFA couldn’t do it, as it projected itself as luxury class. Despite enjoying an occupancy rate of 75-85%, the company failed to break even. Although the management was aware of the truculent factors in the aviation industry, it failed to take preemptive measures in time.

Closing Thoughts

A look at the 31 March 2011 year-end annual report reveals that KFA had 7-8 directors, with just one executive director. The audit committee had 3-4 directors and didn’t seem active, since there were just 4 meetings during the year. Since the inception of the company, three CEOs have come and gone. Mr. Vijay Mallya, the Chairman, controls the company. The board of directors has not actively participated in charting the route of the company. Hence, the pilot of the company is responsible for the downward spiral of KFA. As the banks and government refuse to give a life jacket to KFA, the probability of a safe landing is low.

Organizations invest huge amounts in running numerous programs to improve operations, culture and profitability of the company. For instance, programs cover technology implementation, building social networks, improving employee engagement and corporate social responsibility initiatives. Some programs give good return on investment while others dwindle without much success. The success and failure of a program appreciably depends on effective change management.

Even for information technology programs, various survey reports show a success-failure ratio of 50-50. Failure results in cost overruns and delays in the project schedule, besides low employee morale. A few reports indicate that just around 20% of programs are successful at the first effort in all respects. The differentiating factor, with technology and implementation capability being the same, is change management skills. Lack of focus on change management risks results in program failure.

Before discussing some key aspects of program change management risks, let us understand the reason for them. Change causes insecurities to surface, and hence sows the seeds of conflict and discord. At the start of a program, people do not understand the reason for change. They are unable to assess what is at stake and what success looks like. Moreover, people respond differently to change. The idea of change gets supporting, skeptical and scornful reactions. If not handled carefully, different groups within the organization prepare battle plans to sabotage the program.

Hence, change management strategy is an essential component of program implementation. Given below are some of the related risks.

1. Senior Management Involvement

For approval of the program, the program manager shakes hands with all the senior managers to get their buy-in. Managers assume that the senior management commitment will continue after approval. However, this is rarely the case. With time, commitment will wane if senior managers do not understand the direction of the program and/or start giving priority to other programs. Hence, program managers need to update the senior managers monthly or fortnightly, through review meetings and reports, on the status and plans of the program.

Additionally, users and employees need to see senior managers demonstrate commitment to the program i.e. walk the talk. Program managers need to leverage opportunities to show senior management support for the program. Develop a leadership plan to ensure senior managers become champions of the program.

2. User/ Employee Adoption

Program managers gear most of the program’s activities towards adoption by the users. For example, in building a risk culture, adoption of a risk assessment template is a milestone. The point is that change agents view program activities in isolation for the pre-go-live stage without considering the overall impact on the organization. Programs influence strategy, process, technology, and people. Without synchronizing the four aspects, even with user acceptance, the program will be unsuccessful in the long run.

The second aspect to consider is the handholding and support after the go-live stage. After implementation of a program, the users may still face some challenges, or new problems and risks may arise. For continued success of the program a team is required to support it, else it will fizzle out.

3. Multiple Communication Channels

A program requires a good communication plan, and failure in communication jeopardizes the program. Communication messages must be clear, straightforward and from the heart. Corporate jargon and meaningless mantras do not get buy-in from senior management or users. For example, do not have a mission statement for an ethics program that sounds like this:

“The company’s mission is to be the most ethical organization in the world by adopting best practices, making it a great place to work and rewarding meritocracy”

Employees will roll their eyes at the above statement and consider it management hyperbole. There is nothing actionable or measurable in the statement. Neither are the steps linked to ethics.

Another risk is failure of communication from senior management. Program managers assume that employees understand senior management commitment from strategy and other generic documents. However, adopters need to hear from senior management regularly about their views and aspirations.

Moreover, when programs run into problems, the initial reaction is to hide the bad news from the adopters. Clear, concise communication on the challenges being faced by program managers and the support required gets the program back on track. Communicate more often when the program is running into trouble.

More importantly, change agents sometimes fail to listen to the adopters. Adopters’ feedback is critical for the success of the program. Understand their angry reactions, criticism and challenges. Develop plans to address them and not ignore them.

4. Training Plans

Standard training material is the bane of most programs. Change agents believe that once the training is imparted, their job is done. Some pieces are overlooked in training plans and I have mentioned these before in a post. These are:

People have different learning patterns.

People are at different stages of learning – beginner, learner, manager, and expert.

People do not remember the training for long unless they start using the information in practical work.

Old habits are hard to break; hence, people revert to old patterns of working if not monitored.

Last but not least is the content of the training. For example, fraud awareness training is a double-edged sword. The users, who didn’t know a word about fraud, now have some idea of how frauds are conducted. The information can be misused. Moreover, an overload of information may create panic reactions in users. Hence, when to deliver training and what information to give are critical decisions for successful program implementation.

5. Reward & Recognition System

For a program to be successful, set up a clear system about reward and accountability for the adopters. Failure to establish a system will result in rewarding mediocrity rather than meritocracy. Further, without implementing a penalty criterion, there is no downside for wrongdoing. Hence, maintain a balance between reward and punishment.

For instance, in an ethics program, build a system of bonus points at time of appraisal for meeting business objectives in an ethical way. If a manager had the option of choosing an unethical means to achieve an objective faster but selected an ethical way though had to work harder, award him/her bonus points. On the other hand, award penalty points to a manager who chose unethical means.

6. Dealing with Failure

Sometimes, despite best efforts, the program team stares failure in the face. People adopt an inflexible approach and refuse to acknowledge the logical benefits of the program. They foresee their personal and political agendas being negatively impacted, and hence refuse to contribute to the shared purpose of the organization. The situation reminds me of an old joke.

A man bought a parrot as a pet. To his dismay, the parrot had a bad attitude and spoke foul language. The man tried to teach the parrot to behave but the parrot refused to change. One day in a fit of anger the man put the parrot in the freezer. He heard the parrot screaming and abusing for a couple of minutes, then there was silence. The man opened the door of the freezer, the parrot trotted out and said – “I beg your forgiveness for speaking rudely. I promise to behave properly.” The man was amazed at the transformation. Then the parrot said – “May I ask, what did the chicken do?”

To avert sudden failure, periodically conduct organization surveys to understand the acceptability of the program and the organization’s readiness for the next stage. Measure the behavior and sentiment change due to the program. Do not rush to the next stage without ensuring that adopters connect with the program in the existing stage.

7. Awareness of Retaliation

Situations can get out of hand when people start retaliating against the program manager and his/her team. Some programs are launched for appearances’ sake. For example, senior management may approve a program for business ethics, diversity or employee participation. However, when the change agents sincerely attempt to run the program to bring about a cultural change in the organization, they get mobbed by the employees. In this case, the junior employees start complaining that the change agents are pressurizing, bullying and forcing them to change. This impacts the heart of the program, and the change agents spend most of their time defending their actions. The senior management doesn’t really want change, and hence looks the other way or gives tacit approval to derail the program and mob the change agents.

In such cases, the change agents have to pay a high price, but the seeds of change are sown. People recognize that there is a better way of doing things, and gradually move towards light.

Closing Thoughts

Change is difficult. We ourselves find it difficult to change, so getting others to change is an obstacle race. As Mahatma Gandhi said on leading the non-violent Indian independence movement – “First they ignore you, then they laugh at you, then they fight you and then you win.” Being a change agent is a test of stamina, perseverance, discipline and sacrifice. There are no low-hanging fruits to pluck, no short-term rewards, no personal glory; however, in the end the organization benefits.

The business team’s mental picture of an auditor is of a guy focused on nitpicking financial accounts. The excessive focus from regulators on internal controls in finance processes has stereotyped auditors. However, in these dynamic economic conditions senior management expects internal auditors to break out of this image and become business partners. The question is – how can they do so? Let me share with you my story first.

My journey as an internal auditor changed in mid-nineties when I was an audit manager in an auditing firm. One day, I had a meeting with the client’s CAE to discuss the scope of work for the year. The client had in-house internal audit team and outsourced some areas of work. The CAE had mostly worked in UK and US, so was highly exposed to the international environment in comparison to the regular Indian CAEs at that time.

On starting the meeting, the CAE said – “Sonia, I think for the first quarter I would like you to cover marketing and customer service department.” I swallowed and nodded agreement.

He then continued – “Next quarter you can cover production”. I squeaked – “Production?” He replied – “Yes, shop floor audit would be interesting.” I tried to keep my expression under control and not show my shock, and again nodded in agreement.

He further added – “Last two quarters of the year, you can cover purchase department and inventory function”. I knew something about these two areas, so I tried to breathe. As the meeting closed, I started thinking about how I was going to execute this scope of work. You see, there was a small hitch. I generally did service industry audits and this client manufactured cranes and forklifts. What does one audit in marketing of cranes? How are cranes produced? I was absolutely clueless.

As I drove back I wondered whether my boss had intentionally skipped the meeting. He knew if he had accepted this scope of work, I would have had reasons to crib. Now as I had accepted the scope of work, I couldn’t crib. If I did, he would say – “Sonia, you should have negotiated better.” So I took a small diversion and stop, before reaching my office. My boss was eagerly waiting and from his expression I knew he had already spoken to the CAE. It was a setup! I presented him the scope of work letter, my bookstore bill and the five books I had purchased on marketing function on the way back. He smiled gleefully.

I knew I was in trouble. In those days there was no internet and Google in India. I tried to figure out how I could convince my team that I knew more about marketing cranes than how to spell it.

Later on I realized that these assignments were the turning points in my career. They shook me out of my comfort zone and taught me a lot. While I could earlier rattle off the financial numbers of my clients, I really didn’t understand their business. What did they do? How did they make money? What challenges do they face in the market place? Without understanding the business, one could hardly do any value add.

So the relevant question is how can auditors become business consultants? Primarily internal auditors are driven in scoping their work according to materiality in financial statements. If we change the focus from financial to business, the scope of work automatically changes. I am sharing with you some of my ideas.

Of course as you read some of the suggestions the question will come up, does it fit into the third line of defense (internal audit), second line of defense (risk management) or the first line of defense (business teams). My view is that first an organization should decide, is this what they require? If yes, then they need to find an appropriate fit in their structure. Though some of these services do not fit the traditional sense of audit, they add a lot of business value. Moreover, the skill set required to perform these services is the same as an auditor or risk manager. The mindset has to be different.

The argument against it is that these are management responsibilities as some of these either appear to be focused on preventive or detective controls, and moreover do not focus on financial processes. The question to ask is – is management fulfilling these responsibilities in other functions? Additionally, if business risks and controls are not addressed, doesn’t it impact financial processes and income? Maybe, senior management needs to come out of the SOX mindset and think differently. Read on and share your views with me.

1. Job Work Review

I am sure you must be wondering here – what is she referring to? As a corporate citizen you must have heard management saying that with so many resources the work is still not done. On the other hand, employees lament that they are overworked due to insufficient bandwidth. One wonders, are they talking about the same organization? Let me explain in detail what we can focus on here.

I had a banking client where the management and employees were in this tussle. Since it was an Indian nationalized bank, the tussle was fast becoming a labor union issue. Management appointed our company to identify the real work issues at a sample branch to resolve the problems. The branch had 50 odd employees and as a first step we asked them to fill a detailed form listing out their activities on a daily, weekly and monthly basis along with the time. We also gave time sheets for the bank employees to fill for a fortnight to record actual work done with time spent.

Meanwhile we analysed job descriptions, processes, MIS and business applications to assess the real activities performed by various departments within the branch. Finally, we conducted interviews with the employees to discuss our observations relating to their job roles and work done. We were able to identify duplicate work done, opportunities for minimizing manual work by using technology, improving processes, reducing time spent on non-value add work, restructuring department functioning and changing job roles. This improved the efficiency of the branch operations besides resolving the management problems.

In another similar assignment for a law office, we analysed billable and non-billable time spent by attorneys. By transferring the non-billable activities to other job roles, the attorneys were able to increase their billable time, hence directly improve revenues.

The point is, all managers are told to prioritize work. Ever wondered what percentage of managers do it successfully? Additionally, what is the impact on revenues because of failure to do so? Isn’t it worth checking out? Shouldn’t organizations focus on employee risks? Employee risks are turning big and are mostly unaddressed.

2. Build Risk Assessment Tools

The business teams are primarily responsible for managing risks; however, they are not trained in risk management. The internal auditors and risk managers have vast knowledge of business risks. Then isn’t it worthwhile to bridge this gap? Here I will give you an example of what we did for a software development company.

The program managers were running million-dollar software projects. As you know, project risks impact the cost, quality and time of the project. The software development teams focus more on running the project than on doing project risk management. Hence, we developed an Excel tool for them. The spreadsheet contained over 600 risks on various stages of a software development project. The project manager just had to assess whether a risk was applicable to the project and select a listed risk mitigation plan. S/he had to input the name of the person responsible for managing the risk and the time schedule. Only in rare cases did project teams identify a new risk, which we incorporated in the next version of the tool. An activity which took the project teams days of discussion could be completed within a day, and the project manager could review the risk status within an hour on a weekly basis. An overall organization count was available on risk occurrence, success/failure of mitigation plans and risk losses.

Empowering the business teams with appropriate tools to conduct risk management is far more beneficial than a post facto audit. A reduction in risk loss directly improves profitability.

3. Process Design Review

Internal audit and risk management functions generally are not involved in process review at the design and re-engineering stage. They audit the process after it is functioning and then identify control gaps and give recommendations for improvement. Doesn’t this sound like attempting to catch an elephant by its tail? I will share with you my ideas on this area.

When an organization is establishing its back offices, usually the processes are migrated with the same controls as existed before. However, the risks and control requirements change considerably on process migration. If an auditor reviews the process and standard operating procedures at the process migration stage, not only will business risks be addressed, it will also save a lot of time in doing a subsequent audit. Additionally, management will be able to identify whether the process is high, medium or low risk and budget risk loss accordingly in the cost-benefit model.

The same applies when management is re-engineering processes according to six-sigma or lean or any other model. Sometimes on re-engineering processes, the existing control steps are removed to reduce work time and improve efficiency. However, no compensating controls are put in place. This increases the risk of the process without management’s knowledge.

Reviewing processes proactively for controls and risks reduces the probability of subsequent damage due to control failure. It also significantly mitigates fraud risk. Moreover, it reduces the audit time significantly.

4. Software Implementation Review

Again I see here that auditors review application controls at the time of a SOX or financial audit. An assurance needs to be given on the technology controls. However, the cost of changing an application program after implementation is 3-4 times the cost at the time of development. Hence, doesn’t it make sense to review the software program at the time of implementation, whether it is an ERP or a customized application?

To demonstrate the value of the work, I am narrating my experience of doing an assignment for a government tax department in India. The department was implementing technology for the first time to improve tax collection. According to its estimates because of the manual systems and delay in collecting information, it was losing revenue in millions due to tax evasion. They had appointed a hardware vendor and software vendor, and then my organization for auditing. We worked with the department to review the technology implementation strategy, user and functional specifications for controls, network diagram for information security and conducted application controls testing. This saved the department from various problems that would have occurred after implementation.

Proactively addressing technology controls saves the organization subsequent cost of changing them and mitigates the risks occurring from control lapses. Conducting an ongoing review of implementation of critical business applications is beneficial.

5. Policy Decisions Review

Now this is something that most auditors and risk managers do not go near as policy making is management responsibility. However, I am going to narrate an incident here, and let you decide whether it makes sense to re-look the policies.

I was conducting a financial statements audit of a consumer goods trading company. While checking the discounts given on a product, I realized that the total discount given was eroding the profit margin. The company had various discount categories, for instance – special discounts, festival discounts, dealer discounts etc. However, it was not calculating the total of these discounts for each product. Hence, it didn’t realize that though the sales were increasing, the discount policies were faulty and eating away the profit margin. I did a marginal costing analysis, and assessed that if they continued with this policy the company would lose its “going concern” status in three years. Management was horrified on seeing my report and realizing that various discount policies cumulatively could have such an impact.

Look at it from another angle. If you see the banking sub-prime crisis, maybe a review of the policies to give loans to financially weak or unstable-income borrowers would have reduced the risk. If the banks had limited loans disbursed to this category to a small percentage of the total retail lending, this situation may not have occurred. Conducting an audit after loan disbursement and commenting on the quality of loans hardly helps.

My suggestion here is that when policies are issued, they need to be reviewed for financial and risk impact. Issuing single policies doesn’t sound like a big deal; however, when the sum total impact of a group of policies in a specific area is analysed, the picture is quite different.

6. Fraud Risk Assessment

In a speech given by the Governor of the Reserve Bank of India to the Institute of Chartered Accountants of India in December 2011, he said – “The profession has shied away from the responsibility for prevention and early detection of fraud.” This is a valid allegation. Although fraud risk is increasing at a tremendous rate, most organizations lack focus. Banks have fraud risk functions; however, they are more focused on investigations. The thrust on fraud prevention can be improved.

Let me give you an example here. In India, banks are either shifting back office operations or outsourcing them to vendors. Now these back offices have multiple processes, mostly run by people who are service delivery experts. The teams sometimes lack banking industry knowledge and are clueless about the fraud risks of the process. At the time of process migration, training is provided to detect transaction-level fraud. However, if you ask the process owners whether the processes they are running are high, medium or low fraud risk, they will be unable to answer.

I once developed, with my team, a fraud risk assessment tool for banking back office operations. A weight was given to each data item that could result in fraud. For example, an employee having access to customer information can conduct account takeover fraud in a call center. The information normally required is the name of the customer, account number, address, date of birth and debit/credit card number. If this data is available, the probability of fraud increases. Hence, the tool captured the data availability for each process and calculated the level of fraud risk for the process. Management and process owners knew the high fraud risk processes and could allocate more resources to fraud prevention for these processes. Incorporating controls in these processes reduced the overall fraud risk of the organization.
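The weighting approach described above can be sketched as follows. This is an added example, not the tool the author’s team built; the weights, rating bands and process names are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed weights (constructed, not from the original tool): how much each
# customer data item adds to fraud potential when process staff can see it.
DATA_WEIGHTS = {
    "customer_name": 1,
    "address": 1,
    "date_of_birth": 2,
    "account_number": 3,
    "card_number": 4,
}

# The text lists these five items as what is normally required for account
# takeover, so a process exposing all of them is rated high outright.
ACCOUNT_TAKEOVER_SET = frozenset(DATA_WEIGHTS)

# Assumed rating bands, as a share of the maximum possible score.
HIGH_BAND = 0.6
MEDIUM_BAND = 0.3


@dataclass(frozen=True)
class Process:
    name: str
    data_available: frozenset  # data items visible to the process team


def score(process):
    """Sum the weights of every data item the process exposes."""
    unknown = process.data_available - set(DATA_WEIGHTS)
    if unknown:
        # An unweighted item would silently understate risk, so fail loudly.
        raise ValueError(f"no weight defined for: {sorted(unknown)}")
    return sum(DATA_WEIGHTS[item] for item in process.data_available)


def rate(process):
    """Return 'high', 'medium' or 'low' fraud risk for a process."""
    total = score(process)
    if ACCOUNT_TAKEOVER_SET <= process.data_available:
        return "high"
    share = total / sum(DATA_WEIGHTS.values())
    if share >= HIGH_BAND:
        return "high"
    if share >= MEDIUM_BAND:
        return "medium"
    return "low"


def missing_for_takeover(process):
    """Items the process does not expose; empty means the full set is visible."""
    return sorted(ACCOUNT_TAKEOVER_SET - process.data_available)


def rank(processes):
    """Order processes from highest to lowest score for resource allocation."""
    return sorted(processes, key=score, reverse=True)


# Constructed sample processes for a hypothetical banking back office.
PROCESSES = [
    Process("call_centre_servicing", frozenset(DATA_WEIGHTS)),
    Process("statement_printing",
            frozenset({"customer_name", "address", "account_number"})),
    Process("cheque_image_indexing", frozenset({"account_number"})),
    Process("card_dispatch",
            frozenset({"customer_name", "address", "card_number"})),
]

if __name__ == "__main__":
    for p in rank(PROCESSES):
        print(f"{p.name:24} score={score(p):2} rating={rate(p):6} "
              f"missing_for_takeover={missing_for_takeover(p)}")
```

The `missing_for_takeover` output shows which data items a process owner could keep masked to stop a medium-rated process from drifting into the high band.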

As mentioned in an earlier post, the Kroll Fraud Report of 2011 states that globally organizations reported on average a 2.1% earnings loss due to fraud and nearly 1/5 of the organizations had a 4% earnings loss. In cases of senior management involvement, for instance Satyam, Enron and WorldCom, organizations are nearly wiped out. Fraud risk additionally impacts financial, reputation and legal risks. Hence, organizations definitely need to focus on it.

7. Review of Management Programs

Management initiates various programs, for example for innovation, research, quality improvement and leadership development. A lot of time and money is spent on these programs as they enable organizations to gain a competitive advantage. Risk managers talk about competitive advantage risks; however, these programs do not come under the review radar of either internal auditors or risk managers. They check that the cost of programs is booked correctly, and are unconcerned about the success of the program and/or the reasons for failure, the reason being that no obvious risk is seen.

My view is that if a program is developed to gain competitive advantage, then obviously its failure results in increasing competitive disadvantage. That increases business risks. These risks might not be immediately quantifiable, but have long-term impact. However, the reasons for program failure are not obvious, and the failure results in sunk costs for the program.

For instance, in one company I ran an organization survey to get feedback on the implementation of a quality framework. Normally, negative feedback identifies the following problems – lack of senior management support, insufficient training, lack of implementation support, no hand-holding done in the first project, etc. In the feedback given, the respondents stated that these issues were addressed well and they had no complaints on these fronts. However, they were not motivated to use the framework because there was no reward or recognition system in place for doing well in this area. After implementing an employee bonus scheme for adopting the framework and using it well, participants’ commitment levels for the program improved.

As I had mentioned in an earlier post, “Creativity@Risk”, organizations’ innovation programs may not be effective because creativity is not valued. I had given steps to audit creativity levels in the organization. Think of it: if innovation and research are failing, don’t the competitive advantage risks increase? How are organizations calculating and addressing these risks?

8. Brand Building Programs Review

Organizations are investing heavily in building brand names to gain competitive advantage and customer loyalty. They run advertising, social media and corporate social responsibility programs geared towards it. However, some are succeeding in their efforts, while others are reaching nowhere, especially Indian companies. For example, the global Brand Keys Customer Loyalty Leader report of 2011 doesn’t mention even one Indian company in its top 100 brand names. Hence, the question is: where are all the advertising and brand building budgets going?

A review of the effectiveness of these programs helps to build better customer relationships. For example, to attract Gen Y customers, some banks have launched games on their websites. If a customer logs in and does some transaction or activity on the website, s/he gathers points. After accumulating a certain number of points, the customer is given a small gift. It is targeted towards building customer retention and loyalty. The cost of the program is low and the impact is high.

Another aspect now facing organizations is social media risks. Any negative information that goes viral can damage the company reputation. Hence, the probability of reputation risks has increased. To ensure that these are properly mitigated and the programs are effective, these programs can be periodically reviewed.

9. Strategy Review

In an earlier post I had mentioned a point from a McKinsey report. It states that just 8% of the respondents said that their organizations review strategies on an ongoing basis. In 42% of cases, the organizations were not conducting annual reviews of strategy. Now without reviewing the strategy, how do organizations really know where they are heading?

In another recent report of the Economist Intelligence Unit titled “The Long View”, the key observation was that – “The time horizons for strategy and risk are often misaligned. Some companies are making longterm strategic plans without a proper consideration of the associated risks.” The main reason is that risk management is considered an operational activity rather than a strategic function. This is highlighted by the fact that just 24% of organizations think that risk analysis is vital for strategy development.

To illustrate the need for strategy review, I am narrating an incident. I was pitching for work to a CEO. He handed me his strategy documents for building 100 collection centers. I analysed the numbers, and realized that though the revenue numbers and assumptions were correct, the costing was not so. I visited a few collection centers, developed an operational plan and costing analysis and submitted the revised numbers. When the CEO saw the numbers, he asked me for my recommendation. I said in a straightforward manner – “If I was in your position I wouldn’t implement this project. Though revenue numbers are good, the break even point is at 75%. There are no quick earnings and failure probability is high.” The CEO agreed with my observation and the project was not undertaken.

As I persistently continue to make this point, strategy review is essential for success. A lot of funds are wasted on wrong strategies. Start with focusing on the strategy formation process and reviewing business strategies to move up the value chain.

10. Business Continuity Plan Review

Most organizations dependent on information technology have disaster recovery plans and/or IT recovery strategies. Few have developed and implemented full-fledged business continuity plans envisaging various natural and man-made disasters, although with the increasing frequency of floods, earthquakes, hurricanes and terrorist attacks this would be an obvious move. Last year the earthquake in Japan and floods in Thailand caused problems for companies worldwide whose vendors were located in these countries. The supply chain broke down.

Conducting a business impact analysis requires classifying each activity in the business process as critical, necessary or optional in case of a disaster. Some activities might be required in normal business functioning but not in a disaster scenario. For example, for a bank, having credit card operations running 24/7 is critical; however, a loan application approval process can be delayed for a couple of days without a big problem. A solution is required for all critical activities. For instance, in the 9/11 attacks in the US, the Amex center in Delhi acted as the backup center for US offices. It was one of the few companies whose customers didn’t feel any impact on customer service due to the incident. Hence, ensuring that all critical activities have a backup facility with trained resources operable in a short time span is critical for business continuity.

A review of the plan and testing documents ensures that there are no gaps and all possible disaster scenarios are covered. A periodical review is required as sometimes processes and business change, while the business continuity plan is not updated.

Closing Thoughts

To provide value add to business, auditors and risk managers need to focus on these services. The Big 4 earn most of their revenues providing these services to clients, as few companies have developed in-house capability. Some organizations, though, have shown progressive thinking and renamed internal audit departments as the business assurance and advisory function. One arm of the department focuses on regulatory requirements of internal audit and the other arm focuses on providing assurance and advisory services to various stakeholders within the enterprise. The cost of setting up the function is low, the rewards are high. Senior managers just have to re-imagine audit and risk management functions. It will be worthwhile.

Imagine driving a car with a speedometer in the rear. When you crash, a voice from the back of the car gives the depressing message – “You crashed because you broke the speed limit of 60 miles an hour”. Now this question will get most of the auditors and risk managers upset, but I shall stick my neck out on this one. Don’t you think this metaphor fits the role audit committees are fulfilling presently? Should the audit committees function differently to help the CEO and board members perform better?

I am sharing below some controversial views on the role and performance of audit committees. Let us say, I am auditing “auditing committees”. It might force you to rethink some issues. Do you share my views or hold different views?

1. Formation of Audit Committee

Generally, audit committees are formed with 3-4 non-executive independent directors. The premise is independent directors are in a better position to give impartial and unbiased views. Hence, the committee is entrusted with responsibility of advising the board on effectiveness of systems of internal controls, compliance and governance in relation to financial reporting obligations. The pertinent questions that arise are whether the independent directors are actually independent and capable of fulfilling their responsibilities. To shed light on this area, I am discussing some scenarios on appointment of independent directors.

Usually, independent directors are invited to join the board since they are either socially connected to the CEO or some other director. Delving into their backgrounds reveals commonalities between education, employment and/or social background. A board survey done in 2005-2006 in India showed that a “good 90% of the non-executive independent directors were appointed using CEO/chairperson’s personal network/referrals, and the remaining 10% through executive search firms.”

Another challenge is getting independent directors with the right industry experience and expertise. To illustrate, in 2010, 48% of UK FTSE companies were unable to comply with the provision of 3 non-executive directors forming the audit committee, as there were insufficient non-executive directors available on the board. Moreover, around 10-11% of the companies did not specify a director with relevant financial expertise.

Looking from another angle, appointment of independent directors to other company boards is dependent on favorable reviews and recommendations from existing board members. In light of this, wouldn’t the audit committee members be tempted to look the other way and avoid raising issues where CEO or board involvement is suspected in frauds? Can we really consider them independent?

Additionally, the value-add provided by the audit committee members is sometimes questionable. I couldn’t find specific data relating to India, but the Grant Thornton report on UK companies states that audit committee meetings on average were held 4-5 times during the year and non-executive directors attended meetings on average 17-18 times during the year. If I do back of the envelope calculations, only in rare cases would audit committee members be spending more than 10 days per annum to fulfill their responsibilities for a particular company.

Considering this, I personally have doubts whether audit committee members are in a position to understand the complexities of business, the control environment and various risks impacting the organization. Keeping the size of organizations in mind and their global spread I sometimes feel that audit committees provide an illusion of confidence to shareholders rather than real confidence.

2. Selection & Appointment of External Auditors

The appointment and selection of external auditors is one of the key recommendatory functions of the audit committee. The board in the annual general meeting generally proposes the name of the external auditor recommended by the audit committee.

Hence, the assumption is that audit committees take this responsibility seriously. I came across this Economic Times article “Can the big four survive a break-up attempt”. It highlighted some interesting facts:

In top 100 (US) companies, the average tenure of audit firms was 28 years. 20 companies had the same audit firm for 50 years or more.

85% of the companies in EU are audited by big four.

99% of the audit fees paid by FTSE 100 (UK) in 2010 were earned by big four.

Just 2.3% of FTSE firms changed their auditor between 2002 and 2010.

Separately, a Grant Thornton 2010 report states that the average tenure of an external auditor at UK FTSE companies is more than 31 years. Additionally, 55% of companies provided minimum insight on the selection process of the external auditor and just 15% of companies provided detailed information on the decision-making process.

I am going to let you decide whether with these facts you can presume the audit committees are ensuring proper selection and appointment of external auditors. The logical argument given would be that the big four have the geographical reach and expertise to audit multinationals. I have a straightforward question – with the same audit firm continuing for numerous years, can one assume objectivity and independence in reporting?

I am personally in favor of the new Companies Bill 2011 (India) clauses relating to audit firm and audit partner rotations. It mandates rotation of audit firm every 5 years and audit partner every 3 years. In my view, that is a step in the right direction.

3. Relationship with Chief Audit Executive

The Grant Thornton 2011 CAE Survey of US companies revealed some startling data. A quarter of the CAEs had not met the audit committee chair outside of board and committee meetings. 29% had met 1-2 times and 31% had met 3-5 times during the year.

Another interesting fact from the Grant Thornton 2010 report is that 13% of the UK FTSE 350 companies did not have an internal audit function. That is, 40 of the UK’s largest companies did not have a third line of defense, so most probably didn’t have a CAE. Moreover, 25% of the companies did not disclose compliance with this provision in their reports. This fact is fascinating, as in India internal audit is mandatory for listed companies and external auditors are required to comment on the function.

Seeing the above US data, that 85% of CAEs had minimal interactions with the audit committee chair, can one say that they have a good relationship with the chair and members of the audit committee? Without having a good one-to-one personal relationship, do you think audit committee members are in a position to assess the real performance of the internal audit department or gather critical information about the company from the CAE? With such limited communication between audit committee members and the CAE, would you have doubts about their effectiveness?

Now add to this that a CEO can terminate the CAE’s services if s/he holds a view opposing that of the board. Very few boards are mature enough to allow CAEs to constructively confront their ideas. Audit committee members may not be able to protect the CAE in all circumstances. Under these circumstances, would you say that the audit committee and internal audit departments are effectively assessing the internal controls environment of the organization?

My view is that most audit committee members spend time on audit committee charter, internal audit charter and internal audit reports submitted by the CAE. They don’t delve deeply into procedures used to conduct internal audits. Additionally, in some companies there might be just superficial support given to the internal audit function.

4. Challenging Board Decisions

Audit committees have immense power in the sense that they can challenge board decisions. As per the Companies Bill (India), if the “board does not accept any recommendation of the audit committee, the same shall be disclosed in the report along with reasons thereof.” However, I have rarely seen a report that states that an audit committee’s recommendation was not followed. This would make us presume that audit committee members are exercising their power properly and keeping a control on board activities. However, the picture is somewhat different.

A KPMG Audit Committee survey conducted in 2010 mentions that just 27% of boards encourage contrarian views and discourage groupthink, 64% do it somewhat and 9% do not accept different viewpoints at all. As I had mentioned in a previous post, the Satyam fraud case portrays the board’s failure to exercise judgment. Although Satyam’s board consisted of renowned personalities, the Central Bureau of Investigation report stated:

“The members of the Board of Directors had acted as “rubber stamps”, unwilling to oppose the fraud. Not a single vote of dissent has been recorded in the minutes of the Board meetings.”

Moreover, the lack of personal accountability in independent directors’ mindset was apparent after the Satyam fraud came to light. In a short period subsequent to the disclosure of the fraud, 109 independent directors voluntarily resigned although their term had not ended, fearing being held liable for fraud or non-detection.

The SKS Microfinance case is another example of the extent to which the board will not raise issues. CEO Suresh Gurumani was fired at the behest of the Chairman, Vikram Akula. Eight of the ten directors voted in favor of his termination, and the other two were absent, although the CEO had no previous performance issue.

The situation is similar across the world. The Enron, WorldCom and Swiss Air failures reflect the board’s ineffectiveness. They are not exercising their powers judiciously for the benefit of the shareholders. In my opinion, audit committee members and other board members can do much more by challenging the viewpoints of the CEO and his/her team.

5. Evaluation of Finance Function

Ensuring the integrity of financial statements is one of the key responsibilities of audit committees. The members are required to review the financial statements with the external auditors before submission to the board. Just to give you an example, the Tata Motors 2010 corporate governance report defines the responsibilities of the audit committee in respect of financial reporting as follows:

“Reviewing the quarterly financial statements before submission to the Board, focusing primarily on:

Compliance with accounting standards and changes in accounting policies and practices;

Major accounting entries involving estimates based on exercise of judgment by Management;

Audit Qualifications and significant adjustments arising out of audit;

Analysis of the effects of alternative GAAP methods on the financial statements;

Compliance with listing and other legal requirements concerning financial statements;

Review Reports on the Management Discussion and Analysis of financial condition, results of Operations and the Directors’ Responsibility Statement;

Overseeing the Company’s financial reporting process and the disclosure of its financial information, including earnings press release, to ensure that the financial statements are correct, sufficient and credible;

Disclosures made under the CEO and CFO certification and related party transactions to the Board and Shareholders.”

Hence, it is crucial to evaluate the performance of the finance function.

As I had mentioned in an earlier post, CFOs, after CEOs, are the most likely people to do accounting manipulations. CFOs either do it on their own or at the instigation of the CEO. Due to the nature of their role in the preparation of financial reports, they are in a unique position to hide critical information, change accounting policies, pass dubious transactions and present false reports. A Satyam or Enron couldn’t have occurred without the CFO’s involvement.

Another aspect to look into is that the role of CFO has expanded and become more critical. CFOs are not only managing financial reporting, but also play a key role in strategy development, risk management and business monitoring. The question is what audit committees need to take into account to evaluate the performance of the finance function. Below are some pointers:

Evaluate the role of the CFO in the organization to understand the functioning and power dynamics.

Assess whether CFO is able to maintain independence and hold his/her own position with the CEO.

Understand the logic given for changing accounting policies and methods, entering into transactions that may not be arms-length and inter-group company transactions.

Review the history of accounting frauds and manipulations, notices from regulatory agencies and industry specific risk impact on the organization.

In my view considering the crucial role of CFOs, audit committees need to spend time understanding the various facets of finance function and gathering critical information to evaluate the integrity of financial reports. From the past corporate scandals, one cannot assume that audit committees are doing a good job at raising red flags and/or identifying accounting manipulations.

6. Nature of External Reporting

The present day hot topic of discussion is about the aspects audit committees should include in external reporting. As such, law requires that audit committees review the financial reports and related media releases. The question is: should audit committees ensure that a company sticks to minimal reporting requirements, or should they go beyond them?

In my view, corporate governance is about building good and transparent relationships with investors, shareholders, creditors, public and regulators. Hence, information that contributes to a healthier relationship between management and other parties should be disclosed.

Let me explain my viewpoint. Taking the example of India, a number of listed companies are family owned-managed companies (for example, Reliance group, Tata group, Birla group etc.). Shareholders, especially the minority shareholders, do not have a significant say in the company. The perception exists that family owned groups sometimes do not invest funds for shareholder benefit and squander them on personal privileges. Moreover, Indian corporate laws are good on paper, but the regulation is not so great, though improving. Hence, Indian shareholders are a vulnerable lot. Additional information builds trust and confidence, as seen in the case of Infosys.

The business benefits for upholding transparency are huge.

The market value of shares increases. Velocity of share trading is also higher than other companies.

Financial institutions show more propensity to invest.

Foreign investors – institutional and individual – are open to trading in the shares.

The companies have lower legal and regulatory costs as regulators are comfortable.

The most important job of audit committees and board members is to ensure that management aligns company and personal objectives with shareholder interests. If the company is doing bare minimum reporting then audit committee is not really keeping shareholder interests in mind. For instance, Grant Thornton report of UK companies’ corporate governance practices mentions that of the 303 largest companies in 2009-2010, just 11% of the chairpersons commented on the corporate governance practices.

In my view, audit committees should focus more on the extent and level of external reporting. To enhance shareholder confidence more details can be provided on functioning of board, and internal audit, finance and risk management departments. A discussion on organization objectives, strategy and evaluation parameters would also be helpful. An explanation about the external auditor selection process and fees would be beneficial. Lastly, the company’s efforts in fulfilling corporate social responsibility would provide an added advantage.

7. Information Available with Audit Committees

Besides the abovementioned activities, audit committee members are required to look into other aspects of the business also. For example, review – the utilization of funds through public issues, transactions that indicate conflict of interest, cases of suspected fraud, financial statements of subsidiary companies, political spending and overall compliance with regulatory provisions.

Normally audit committee members rely on getting information from board meetings, minutes of the meeting, discussions with external auditors, reports and discussions with internal auditors, fraud investigation reports, whistle blowing hotline investigation reports etc. However, the question remains – do audit committees get the real information to make informed decisions? A KPMG 2010 US survey report states that 77% of the audit committees are actively engaged in obtaining information.

However, I do not see the same occurring in India. At the time of the Satyam scandal, and more recently on the formation of the new Companies Bill, there was a lot of discussion about the responsibilities of independent directors in respect of fraud or inaccurate financial reporting. The independent directors had complained that they are not privy to the internal workings and thinking of the organization, especially in the case of family owned groups, and hence that holding them responsible is not the right step. If one considers this view, then audit committee members are actually abdicating their responsibility.

Another issue to deal with is that audit committee members may lack industry expertise, and hence may not know the questions to ask. In my view, audit committee members should use their right to hire an external consultant in case of doubt. Moreover, they should get additional information. A few pointers are:

Interact with external and internal auditors of subsidiary companies directly

Hold discussions with senior and middle managers of various business units where required

Discuss with company secretary all legal and compliance challenges

Discuss with ethics officer the key issues on maintaining code of conduct

Discuss with fraud risk, information security and other risk officers the key issues they have faced during the year and their overall functioning.

Review in detail all documentation relating to material transactions, acquisitions and mergers.

Travel to other offices and locations to understand business operations.

This is not an exhaustive list; however, it will be beneficial in fulfilling audit committee members’ responsibilities better. Without gathering this information, the audit committee members would, in my mind, be doing superficial oversight.

8. Effectiveness of Risk Management Programs

The financial crises got the focus back on risk management. In the annual reports, boards are required to comment on the performance of the risk oversight function. The board has the responsibility to ensure that the organization’s risk management procedures are commensurate with the company’s risk profile. In most cases, the board delegates responsibility for risk oversight to audit committees, especially when the organization does not have a separate risk oversight committee.

Risk reporting is generally done in the business review section, though integrated reporting of risks and internal controls is being encouraged. As per the Grant Thornton UK report, 63% of the FTSE 350 companies gave detailed descriptions of risks and focused on operations risks. The question that comes up is how audit committees assess the effectiveness of the risk management function and programs.

Let me take some of the challenges of risk management in the financial industry:

Risk managers do not have sufficient authority and are frequently overruled by business teams. In few cases, they play a role in strategic decision-making.

Risk managers do not have strong relationships with business teams.

Risk appetite is defined by the organization but data is so scattered that it is difficult to monitor when actual organization risk exceeds risk appetite.

During the financial crises some of the key examples were –

Royal Bank of Scotland (RBS) acquired ABN Amro Bank without sufficient details. It faced quite a few unpleasant surprises later on.

Lehman did not get timely funding as actual worth of CDOs was considered overestimated, hence had to file for bankruptcy.

AIG faced challenges in finding an investment partner since it didn’t have financial systems for integrated reporting.

Still banks are increasing their risk profile in the coming year. Some may have improved the risk management function and reporting, while others may not have learnt their lessons.

In light of this, my question is simple. Are audit committees really in a position to comment and provide reliable assurance on effectiveness of risk management programs?

9. Assessing Risk Culture

Loud noises after major frauds and financial crises repeatedly proclaim the same thing – “The risk culture of the organization was wrong”. It all boils down to the culture of organization and the attitude of the management towards risk taking. When Wall Street bankers received bonuses after the crises, there was uproar in the government and public. The outcry was bankers should be penalized for excessive risk taking, and not rewarded for nearly collapsing the financial sector.

Hence, the question arises: why doesn’t management do anything about the risk culture? The logic is simple if you view it from the CEO/CXO perspective. Their performance is evaluated on the quarterly numbers they give in the financial reports. To give that incremental growth, high risk taking is required. Building a risk culture requires a long-term commitment to reap rewards. While implementing a risk culture program, in the first year the performance might be lower as employees will not be as enthusiastic about taking risks. Moreover, most professional CEOs’ tenure in a company is 4-5 years.

Considering these aspects it is not surprising that only a few are committing to building a risk culture. Though the corporate scandals have reduced investor confidence and resulted in closure of many organizations, the belief persists that they will not land up in the same soup. However, there is enough evidence that a high risk taking culture can nullify all the efforts of risk departments.

To counteract the effects of high-risk taking, proactive chief risk officers focus on building the risk culture. Their challenge is that regulatory guidelines ensure lip service and real commitment is missing. The question remains, can audit committees help them in doing so?

Audit committees in my view can assess the risk culture by focusing on:

Remuneration of key personnel, including the bonus component linked to performance.

Code of business ethics adopted and implemented by the company

Analyzing the extent of reputation and regulatory risks the organization is facing

Reviewing reported ethical breaches

The amount of risk appetite board has determined it is willing to take to meet strategic objectives.

Transactions entered that reflect conflict of interest to some degree.

In my view, audit committees can do much more to improve the tone at the top about risks. A continued focus from board members is likely to influence management in incorporating a good risk culture. A detailed explanation on the risk culture in the annual returns would be beneficial.

10. Internal Controls

Last but not the least, audit committees’ responsibilities include ensuring that the organization has an effective system of internal controls. In some countries including India, the board is required to state in the annual report that proper systems are in place to ensure compliance with all the applicable laws of the country. If it is not so, then they need to provide an explanation.

As you recall history, the focus on internal controls had increased worldwide after the spate of frauds (Enron etc.) in the US and the subsequent introduction of the Sarbanes Oxley Act. On that premise, one would assume that most companies would have vibrant internal control systems now. Though all companies report on internal controls, the Grant Thornton report states that in the UK just 25% of companies provide a detailed description of the procedures adopted to evaluate the effectiveness of internal controls. Just 3 companies disclosed material weakness in internal controls. Hence, the quality of assessment of the effectiveness of internal controls by audit committees comes into doubt.

Therefore, the question comes up – how do audit committees improve the quality of assessment? Although regulations are more geared towards audit committees reporting internal controls on financial systems, a broader view covering operational and compliance controls is preferable. To do so, audit committees need to understand the business objectives, strategy, processes and information systems of the organization. This will facilitate them in understanding whether the organization is geared and equipped to deal with day-to-day operational problems. In the current environment, management requires real time information for decision-making and managing business operations.

After gathering the abovementioned information, audit committees would be in a position to assess whether:

The right financial and operational areas were selected for internal controls review.

Procedures and practices followed for assessing internal controls were sufficient.

Any areas require further review.

The reported control weaknesses are material.

In short, though audit committees are focused on ensuring organizations have proper internal control systems, additional work can be done to improve confidence in the assessments.

Closing Thoughts

Audit committees are a critical tool for corporate governance. However, presently in my view they are not significantly effective. Hence, emphasis on the working of the audit committee can add value not only to the board but also to the investors and shareholders. It might appear a tall order, but ensuring that audit committee meetings are frequent, maybe monthly, would very much improve the performance. Worldwide, the corporate world needs to take this route to ensure better governance and build investor confidence.

I rest my argument here; share your opinion with me.

References:

Economic Times article – “Can the big four survive a break-up attempt”

Evolution and effectiveness of independent directors in Indian corporate governance – by Umakanth Varottil, Faculty of Law, National University of Singapore

Note For Readers

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, risk management advice, or other professional advice or services. Before making any decision or taking any action that may affect your business, you should consult a qualified risk manager. The author gives her permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at jaspal.sonia1@gmail.com